Folks,

This is my url:
https://localhost/Templates/Pagination_Template.php

This is my GET Method form:
Html

[code]
<form method="GET" action="">
<label for="find">Find</label>
<input type="text" name="find" id="find">
<br>
Table:
<input type="radio" name="table" id="sale"><label for="sale">Websites On Sale</label>
<input type="radio" name="table" id="sold"><label for="sold">Websites Sold</label>
<input type="radio" name="table" id="links"><label for="links">Links</label>
<br>
<label for="column">Column:</label>
<select name="column" id="column">
<option value=""></option>
<option value="domain">Domain</option>
<option value="email">Email</option>
<option value="submission_id">Submission Id</option>
<option value="url">Url</option>
<option value="anchor">Anchor</option>
<option value="description">Description</option>
<option value="keywords">Keyword</option>
</select>
<br>
<button type="submit">Search!</button>
</form>
[/code]

When the form is submitted, I am taken to:
https://localhost/Templates/Pagination_Template.php?find=keyword&table=on&column=keywords

The issue is the "table=on" part. Why does it say "on" and not "links" when I selected the option "links" in the dropdown?
I can understand the value being "on" if I did not select any option and the dropdown value was empty. Since I selected an option in the dropdown, the dropdown value, i.e. the value of $_GET['table'], should be 'links'. And so, in the url it should show as "table=links" and not "table=on".
Q1. How do I fix this "on" issue?

Php

[code]
<?php

//ERROR REPORTING FOR DEVMODE ONLY.
ini_set('display_errors','1');
ini_set('display_startup_errors','1');
error_reporting(E_ALL);

//MYSQLI CONNECTION.
mysqli_report(MYSQLI_REPORT_ERROR|MYSQLI_REPORT_STRICT);

$server = 'localhost';
$user = 'root';
$password = '';
$database = 'brute';

//With MYSQLI_REPORT_STRICT a failed connection throws mysqli_sql_exception, so this branch only runs if reporting is relaxed.
//mysqli_connect_error() and mysqli_connect_errno() take no arguments.
if(!$conn = mysqli_connect($server,$user,$password,$database))
{
echo 'Mysqli Connection Error: ' .mysqli_connect_error();
echo 'Mysqli Connection Error Number: ' .mysqli_connect_errno();
exit;
}

//Compare the charset name itself; "!mysqli_character_set_name($conn) == 'utf8mb4'" negates the name before comparing.
if(mysqli_character_set_name($conn) != 'utf8mb4')
{
echo 'Initial Character Set: ' .mysqli_character_set_name($conn);
mysqli_set_charset($conn,'utf8mb4'); //Pass the connection object itself, not the string "$conn".
echo 'Current Character Set: ' .mysqli_character_set_name($conn);
}

//SECTION: WHITE-LISTS.
//Valid list of Mysql Tables.
$tables_white_list = array('sale','sold','links');
//Valid list of Mysql Table Columns. Must contain every column the checks below accept.
$columns_white_list = array('submission_id','email','domain','url','anchor','description','keyword');
//Banned Words List. Users cannot search these keywords.
$blacklisted_words = array('prick','dick');

//SECTION: VALIDATE SERP URL.
//Check if "table" exists or not in Url's Query String.
if(isset($_REQUEST['table']) && is_string($_REQUEST['table']) && !empty(trim($_REQUEST['table'])))
{
if(in_array(trim($_REQUEST['table']),$tables_white_list,true)) //MySql Tbl to Search.
{
$tbl = trim($_REQUEST['table']);
}
else
{
die('Invalid Table!');
}
}
else
{
die('Select Table!');
}

//Check if "column" exists or not in Url's Query String.
if(isset($_REQUEST['column']) && is_string($_REQUEST['column']) && !empty(trim($_REQUEST['column'])))
{
if(in_array(trim($_REQUEST['column']),$columns_white_list,true)) //MySql Tbl Col to search.
{
$col = trim($_REQUEST['column']);
}
else
{
die('Invalid Column!');
}
}
else
{
die('Select Column!');
}

//Check if "search term" exists or not in Url's Query String. Using $_REQUEST[] so both $_GET & $_POST are covered.
//The original condition also required is_int() of a request string, which is never true, so every search died here.
if(!isset($_REQUEST['find']) || !is_string($_REQUEST['find']) || empty(trim($_REQUEST['find'])))
{
die('Enter Keywords to search!');
}
else
{
if(in_array(trim($_REQUEST['find']),$blacklisted_words,true)) //Keyword(s) to search.
{
die('Your search terms contains a banned word! Try some other keywords');
}
else
{
$find = $_REQUEST['find']; //Not trimming or ridding trailing spaces here as user's keyword (eg. foreign keywords or symbols) may actually contain such spaces.

if($col=='submission_id')
{
if(!ctype_digit($find)) //is_int() is always false for a request string; ctype_digit() checks for an all-digit string.
{
die('Enter a valid Submission Number! Can only be a numerical value.');
}
else
{
$submission_id = (int)$find;
}
}

//filter_input(INPUT_GET,'email',...) would read a non-existent "email" parameter; the search term is in $find, so validate that with filter_var().
if($col=='email')
{
if(!filter_var($find,FILTER_VALIDATE_EMAIL))
{
die('Enter a valid Email!');
}
else
{
$email = $find;
}
}

if($col=='domain')
{
if(!filter_var($find,FILTER_VALIDATE_DOMAIN,FILTER_FLAG_HOSTNAME))
{
die('Enter a valid Domain!');
}
else
{
$domain = $find;
}
}

if($col=='url')
{
if(!filter_var($find,FILTER_VALIDATE_URL))
{
die('Enter a valid Url!');
}
else
{
$url = $find;
}
}

//HOW TO VALIDATE STRING ? There is no FILTER_VALIDATE_STRING filter; free text can only be checked for type and length and must then be bound as a prepared-statement parameter.
if($col=='anchor')
{
if(!is_string($find) || strlen($find) > 255)
{
die('Enter a valid Anchor!');
}
else
{
$anchor = $find;
}
}

if($col=='description')
{
if(!is_string($find) || strlen($find) > 255)
{
die('Enter a valid Description!');
}
else
{
$description = $find;
}
}

if($col=='keyword')
{
if(!is_string($find) || strlen($find) > 255)
{
die('Enter a valid Keyword!');
}
else
{
$keyword = $find;
}
}
}
}

$max = (!empty($_REQUEST['max']) and intval($_REQUEST['max']) > 0)
? intval($_REQUEST['max']) : 1;

$page_no = (!empty($_REQUEST['page']) and intval($_REQUEST['page']) > 0)
? intval($_REQUEST['page']) : 1;

//SECTION: QUERY DATABASE FOR KEYWORD COUNT.
//$tbl and $col are whitelisted above, so they are safe to interpolate; the search term is bound.
$query = "SELECT COUNT(id) FROM $tbl WHERE $col = ?";
$stmt = mysqli_stmt_init($conn);
if(mysqli_stmt_prepare($stmt,$query))
{
mysqli_stmt_bind_param($stmt,'s',$find);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt,$row_count);
if(mysqli_stmt_fetch($stmt))
{
echo 'Row Count: ' .$row_count; echo '<br>';
}
else
{
echo 'Record fetching failed!';
echo 'Error: ' .mysqli_stmt_error($stmt); //Statement errors come from $stmt, not $conn.
echo 'Error: ' .mysqli_stmt_errno($stmt);
}
mysqli_stmt_close($stmt);
}
else
{
echo 'find Preparation Failed!';
}
//mysqli_close($conn);
echo '<b>'; echo __LINE__; echo '</b>'; echo '<br>';

//SECTION: QUERY DATABASE FOR SEARCH-TERM MATCHES.
echo $offset = ($page_no*$max)-$max; echo '<br>'; //$page_no, not the undefined $page.
//Select only the columns read below; the LIMIT values are bound as integers.
$query = "SELECT id,date_and_time,email,domain,url,anchor,description,keyword FROM $tbl WHERE $col = ? LIMIT ?,?";
$stmt = mysqli_stmt_init($conn);
if(mysqli_stmt_prepare($stmt,$query))
{
mysqli_stmt_bind_param($stmt,'sii',$find,$offset,$max);
mysqli_stmt_execute($stmt);
if($result = mysqli_stmt_get_result($stmt))
{
while($columns = mysqli_fetch_assoc($result)) //Loop so every row of the page is shown, not only the first.
{
$submission_id = $columns['id'];
$submission_date_and_time = $columns['date_and_time'];
$email = $columns['email'];
$domain = $columns['domain'];
$url = $columns['url'];
$anchor = $columns['anchor'];
$description = $columns['description'];
$keyword = $columns['keyword'];

echo 'Submission Id: ' .$submission_id; echo '<br>';
echo 'Submission Date And Time: ' .$submission_date_and_time; echo '<br>';
echo 'Email: ' .$email; echo '<br>';
echo 'Domain: ' .$domain; echo '<br>';
echo 'Url: ' .$url; echo '<br>';
echo 'Anchor: ' .$anchor; echo '<br>';
echo 'Description: ' .$description; echo '<br>';
echo 'Keyword: ' .$keyword; echo '<br>';
//WHICH OF THE FOLLOWING TWO ECHOES IS BEST ?
echo 'Link: <a href=' .'"' .strip_tags($url) .'"' .'>' .'<b>' .strip_tags($url) .'</b>' .'</a>'; echo '<br>'; //Need to add your aided code on this line before echoing third party submitted links on my page. Your code needs to detect url structure and break them up into pieces and apply the appropriate php function (urlencode(), rawurlencode(), htmlentities(), htmlspecialchars(), intval()) on the appropriate pieces.
echo 'Link: <a href=' .'"' .htmlspecialchars($url) .'"' .'>' .'<b>' .htmlspecialchars($url) .'</b>' .'</a>'; echo '<br>'; //Need to add your aided code on this line before echoing third party submitted links on my page. Your code needs to detect url structure and break them up into pieces and apply the appropriate php function (urlencode(), rawurlencode(), htmlentities(), htmlspecialchars(), intval()) on the appropriate pieces.
}
}
else
{
//Error Messages for Production Mode only.
echo 'Record fetching failed!';
echo 'Error: ' .mysqli_stmt_error($stmt);
echo 'Error: ' .mysqli_stmt_errno($stmt);
}
mysqli_stmt_close($stmt);
}
mysqli_close($conn);

//SECTION: PAGINATION SECTION TO NUMBER THE SERPS AND LINK THEM.
$total_pages = ceil($row_count/$max);
//Grab the current page's url.
$selfpage = basename(__FILE__); //Echoes: url_encode_Template.php. Does not fetch the url's query terms (params & their values absent).
//Encode the File Path.
$path = rawurlencode($selfpage);
//Encode the Query String in the url. $tbl and $col are the validated values (the original referenced the undefined $table and $column).
$query_string_1 = '?find=' .urlencode($find) .'&table=' .urlencode($tbl) .'&column=' .urlencode($col) .'&max=' .intval($max);

//1. WHICH WHILE LOOP IS BEST ?
$i = 1;
while($i<=$total_pages)
{
$query_string_2 = '&page=' .intval($i);
$url = $path .htmlentities($query_string_1) .htmlentities($query_string_2); //Full URL With $_REQUEST params (Query Strings): https://localhost/Templates/url_encode_Template.php?find=keyword&tbl=links&col=keyword&max=100&page=1

if($page_no == $i)
{
//Bold the current Page numbered link.
echo '<a href=' .'"' .$url .'"' .'>' .'<b>' .intval($i) .'</b>' .'</a>';
}
else
{
echo '<a href=' .'"' .$url .'"' .'>' .intval($i) .'</a>';
}
$i++;
}

echo '<br>';

//2. WHICH WHILE LOOP IS BEST ?
$i = 1;
while($i<=$total_pages)
{
$query_string_2 = '&page=' .intval($i);

if($page_no == $i)
{
//Bold the current Page numbered link.
echo '<a href=' .'"' ."$path" .htmlentities($query_string_1) .htmlentities($query_string_2) .'"' .'>' .'<b>' .intval($i) .'</b>' .'</a>';
}
else
{
echo '<a href=' .'"' ."$path" .htmlentities($query_string_1) .htmlentities($query_string_2) .'"' .'>' .intval($i) .'</a>';
}
$i++;
}

//3. WHICH WHILE LOOP IS BEST ?
$i = 1;
while($i<=$total_pages)
{
$query_string_2 = '&page=' .intval($i);
$url = $path .$query_string_1 .$query_string_2; //Full URL With $_REQUEST params (Query Strings): https://localhost/Templates/url_encode_Template.php?find=keyword&tbl=links&col=keyword&max=100&page=1

if($page_no == $i)
{
//Bold the current Page numbered link.
echo '<a href=' .'"' .htmlspecialchars($url) .'"' .'>' .'<b>' .intval($i) .'</b>' .'</a>';
}
else
{
echo '<a href=' .'"' .htmlspecialchars($url) .'"' .'>' .intval($i) .'</a>';
}
$i++;
}

echo '<br>';

//4. WHICH WHILE LOOP IS BEST ?
$i = 1;
while($i<=$total_pages)
{
$query_string_2 = '&page=' .intval($i);
$url = $path .htmlentities($query_string_1) .htmlentities($query_string_2); //Full URL With $_REQUEST params (Query Strings): https://localhost/Templates/url_encode_Template.php?find=keyword&tbl=links&col=keyword&max=100&page=1

if($page_no == $i)
{
//Bold the current Page numbered link.
echo '<a href=' .'"' .htmlspecialchars($url) .'"' .'>' .'<b>' .intval($i) .'</b>' .'</a>';
}
else
{
echo '<a href=' .'"' .htmlspecialchars($url) .'"' .'>' .intval($i) .'</a>';
}
$i++;
}

echo '<br>';

?>
[/code]

Q2. Do you see the 4 WHILE loops? Which one is invalid due to me misusing or overusing htmlspecialchars() or htmlentities()?
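An added example (not the poster's code) that answers Q1 and Q2 together: radio inputs with value attributes re-checked against the same whitelists, and a pagination link that URL-encodes each query value once and HTML-escapes the href once at output. It assumes a constructed $get array in place of $_GET and the helper names pick() and page_link().

```php
<?php
// Added example (not the poster's code) covering Q1 and Q2.
// Q1: a radio input with no value attribute submits "on"; give each one a value
//     and re-check it server-side against the whitelist before it reaches SQL.
// Q2: URL-encode each query value once (http_build_query) and HTML-escape the
//     finished href once at output; htmlentities() on the query string is
//     redundant and double-encodes the "&" separators.

$tables_white_list  = ['sale', 'sold', 'links'];
$columns_white_list = ['submission_id', 'email', 'domain', 'url', 'anchor', 'description', 'keyword'];

// Return the request value only if it is exactly one of the allowed strings, else null.
function pick(array $src, string $key, array $allowed): ?string
{
    $v = (isset($src[$key]) && is_string($src[$key])) ? trim($src[$key]) : '';
    return in_array($v, $allowed, true) ? $v : null;
}

// One pagination link: encode for the URL first, then escape for HTML.
function page_link(string $path, string $find, string $tbl, string $col, int $max, int $page, bool $current): string
{
    $qs    = http_build_query(['find' => $find, 'table' => $tbl, 'column' => $col, 'max' => $max, 'page' => $page]);
    $href  = htmlspecialchars(rawurlencode($path) . '?' . $qs, ENT_QUOTES, 'UTF-8');
    $label = $current ? '<b>' . $page . '</b>' : (string) $page;
    return '<a href="' . $href . '">' . $label . '</a>';
}

// Constructed stand-in for $_GET, with a hostile search term to show the encoding.
$get = ['find' => '"><script>x</script>&page=9', 'table' => 'links',
        'column' => 'keyword', 'max' => '10', 'page' => '2'];

$tbl = pick($get, 'table', $tables_white_list);
$col = pick($get, 'column', $columns_white_list);
if ($tbl === null) { die('Select Table!'); }
if ($col === null) { die('Select Column!'); }
$max     = max(1, (int) $get['max']);
$page_no = max(1, (int) $get['page']);

for ($i = 1; $i <= 3; $i++) {
    echo page_link('Pagination_Template.php', $get['find'], $tbl, $col, $max, $i, $i === $page_no), ' ';
}
// Each href carries find=%22%3E%3Cscript%3Ex%3C%2Fscript%3E%26page%3D9, so the
// injected &page=9 stays inside the find value, and the real separators render as &amp;.

// Q1 fix: the radio buttons carry value attributes, and each label targets its input id.
echo <<<HTML
<input type="radio" name="table" id="sale"  value="sale"><label for="sale">Websites On Sale</label>
<input type="radio" name="table" id="sold"  value="sold"><label for="sold">Websites Sold</label>
<input type="radio" name="table" id="links" value="links"><label for="links">Links</label>
HTML;
```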
